Created October 20, 2010 02:00
A simple script to decode Sinatra sessions and tamper with them
require 'sinatra'
require 'haml'

# cookie-backed sessions, i.e. the whole session hash lives in the client's cookie
# cf: http://rack.rubyforge.org/doc/Rack/Session/Cookie.html
enable :sessions

# server-side counter shared by every client
class Visits
  @@global = 0
  def self.global; @@global; end
  def self.add
    @@global += 1
  end
end

get '/' do
  session[:visits] ||= 0   # per-client counter, stored in the session cookie
  session[:visits] += 1
  Visits.add               # one global (server-side) visit
  haml :index
end

# this is an inline template:
__END__
@@index
!!!
%html
  %head
    %meta{:charset=>"utf-8"}
    %title Session test
  %body
    #global
      %h2 Visitas en total
      =Visits.global
    #local
      %h2 Visitas tuyas
      =session[:visits]
# Used alongside the Tamper Data Firefox extension to show the downsides of cookies.
# For Sinatra or Rack based apps that use cookie-backed sessions:
# http://rack.rubyforge.org/doc/Rack/Session/Cookie.html
require 'base64'
require 'readline'

# paste the value of the session cookie: a base64-encoded, Marshal-dumped hash
original = Marshal.load(Base64.decode64(Readline.readline('original: ')))
puts "The original session hash is #{original.inspect}"

# type a Ruby hash literal; eval is deliberate here, the hash you type is what gets serialised
hack = Base64.encode64(Marshal.dump(eval(Readline.readline('Your hacked hash: '))))
puts "Your hash as a base64 encoded marshaled object is #{hack}"
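The fix for what the script above demonstrates is to stop trusting the cookie's bytes: sign the serialised session with an HMAC and verify it in constant time before `Marshal.load` ever runs, which is what `Rack::Session::Cookie` does once a `:secret` is configured. The following is an added example, not code from the gist or from Rack; the secret and the `data--hexmac` cookie layout are constructed for the demo.

```ruby
require 'base64'
require 'openssl'

# constructed demo secret; a real app loads this from its environment/config
SECRET = 'constructed-demo-secret-do-not-reuse'.freeze

# Serialise the session exactly as the gist's app does (Marshal + Base64),
# then append an HMAC over the encoded data.
def sign_session(session_hash, secret)
  data = Base64.strict_encode64(Marshal.dump(session_hash))
  mac  = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, data)
  "#{data}--#{mac}"
end

# Length-independent comparison so a forger cannot time the check byte by byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil if the cookie is malformed or its MAC is
# wrong. Marshal.load only runs on data whose MAC has already been verified.
def load_session(cookie, secret)
  data, mac = cookie.to_s.split('--', 2)
  return nil if data.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, data)
  return nil unless constant_time_equal?(expected, mac)
  Marshal.load(Base64.strict_decode64(data))
end

# Re-encode a different hash behind the original MAC: this is the gist's
# tampering step, and it is what the verification above must reject.
def forged_cookie(cookie, new_hash)
  _data, mac = cookie.split('--', 2)
  "#{Base64.strict_encode64(Marshal.dump(new_hash))}--#{mac}"
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_session({ visits: 1 }, SECRET)
  puts "genuine cookie loads as: #{load_session(cookie, SECRET).inspect}"
  puts "forged cookie loads as:  #{load_session(forged_cookie(cookie, { visits: 9999 }), SECRET).inspect}"
end
```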